Fix pinning of github actions (#5213)

It is recommended to pin github actions with hash so that an action is not posing an unknown security risk (as the actions itself is not written by us). Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2025-10-27 16:24:19 -04:00 · 2022-03-01 11:32:00 -08:00
parent 402c08fea0
commit 6c26446bb7
11 changed files with 28 additions and 28 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,15 +20,15 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@75f07e7ab2ee63cba88752d8c696324e4df67466
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@75f07e7ab2ee63cba88752d8c696324e4df67466

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@75f07e7ab2ee63cba88752d8c696324e4df67466
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -17,7 +17,7 @@ jobs:
      DOCKER_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
      RELEASE: ${{ github.event.inputs.release || github.event.release.tag_name }}
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
      - name: Build Docker Images
        run: make VERSION=${RELEASE:1} DOCKER=coredns -f Makefile.docker release
      - name: Show Docker Images
--- a/.github/workflows/go.coverage.yml
+++ b/.github/workflows/go.coverage.yml
@@ -6,13 +6,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
        with:
          go-version: '1.17.0'
        id: go

      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

      - name: Build
        run: go build -v ./...
@@ -24,4 +24,4 @@ jobs:
          done

      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v2.1.0
+        uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b
--- a/.github/workflows/go.fmt.yml
+++ b/.github/workflows/go.fmt.yml
@@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

      - name: Fmt
        run: |
--- a/.github/workflows/go.test.yml
+++ b/.github/workflows/go.test.yml
@@ -6,13 +6,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
        with:
          go-version: '1.17.0'
        id: go

      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

      - name: Build
        run: go build -v ./...
@@ -28,13 +28,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
        with:
          go-version: '1.17.0'
        id: go

      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

      - name: Build
        run: go build -v ./...
@@ -47,13 +47,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
        with:
          go-version: '1.17.0'
        id: go

      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

      - name: Build
        run: go build -v ./...
@@ -71,7 +71,7 @@ jobs:
        run: sudo apt-get install make curl

      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

      - name: Test Makefile.release
        run: make GITHUB_ACCESS_TOKEN=x -n release github-push -f Makefile.release
--- a/.github/workflows/go.tidy.yml
+++ b/.github/workflows/go.tidy.yml
@@ -9,13 +9,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
        with:
          go-version: '1.17.0'
        id: go

      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

      - name: Tidy
        run: |
--- a/.github/workflows/make.doc.yml
+++ b/.github/workflows/make.doc.yml
@@ -9,10 +9,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
        with:
          go-version: '1.17.0'

--- a/.github/workflows/reviewdog.yml
+++ b/.github/workflows/reviewdog.yml
@@ -10,14 +10,14 @@ jobs:
    name: Go Fmt
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
      - run: find . -not -path '*/\.git/*' -type f -name '*.go' -exec gofmt -s -w {} \+
-      - uses: reviewdog/action-suggester@v1
+      - uses: reviewdog/action-suggester@650721aae74ec5d8b0cae75cf980720f1b60cef3

  whitespace:
    name: Whitespace
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
      - run: find . -not -path '*/\.git/*' -type f -not -name '*.go' -exec sed -i 's/[[:space:]]\{1,\}$//' {} \+
-      - uses: reviewdog/action-suggester@v1
+      - uses: reviewdog/action-suggester@650721aae74ec5d8b0cae75cf980720f1b60cef3
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,7 +7,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v4
+      - uses: actions/stale@7fb802b3079a276cf3c7e6ba9aa003c665b3f838
        with:
          stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days'
          stale-pr-message: 'This pull request is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days'
--- a/.github/workflows/whitespace.yml
+++ b/.github/workflows/whitespace.yml
@@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

      - name: Remove Trailing Whitespaces
        run: |
--- a/.github/workflows/yamllint.yml
+++ b/.github/workflows/yamllint.yml
@@ -7,9 +7,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout'
-        uses: actions/checkout@master
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
      - name: 'Yamllint'
-        uses: karancode/yamllint-github-action@master
+        uses: karancode/yamllint-github-action@dd59165b84d90d37fc919c3c7dd84c7e37cd6bfb
        with:
          yamllint_file_or_dir: '.'
          yamllint_strict: false